Detection Engineering for Windows

Detection engineering, especially threat hunting, is a hot topic at the moment. The thing is, this entails a lot more than randomly digging through data or copy pasting queries you've found on the internet.

Understanding techniques or tooling an attacker utilizes, the various options they can use and what kind of indicators can be extracted from them, helps you build proper hunts and automated detection capabilities. This process is called detection engineering. The detection engineering process is a *crucial* factor in the whole chain to be truly effective in being able to catch any attacker in your network.

This 2-day training focuses on the whole detection engineering cycle, from defining a hunt to researching the relevant techniques to building the hunting logic and executing it on a large dataset. Log data obviously is a very important factor here; after executing various variants of an attack we’ll examine all available data to see what kind of indicators were generated and which ones are of use with an acceptable false positive rate. Finally, the training largely consists of hands-on exercises for the students to actually build detection engineering for their organizations.


This training is powered and delivered by FalconForce


Day 1 - Pre-Hunt activities
  • Introduction
  • Hunting principles
  • Different ways of hunting
  • Using and understanding MITRE ATT&CK
  • Understanding your adversaries and their techniques
  • Understanding and assessing (your) data
  • Information resources
  • Using threat information
  • Exercise : Research a technique and assess your visibility
  • Data sources and hunt tooling
  • Exercise : Defining a hunt from threat information
  • Define the analytics for your hunt
  • Exercise: Executing your hunt
  • Reporting your findings
Day 2 - Building your detection engineeering
  • Recap day 1
  • Setup and Splunk intro
  • Threat Hunting application introduction
  • Other Hunt tooling
  • Threat briefing
  • CTF Style lab
  • Findings evaluation session
  • Validation of your results
  • Drinks and end
  1. Laptop with a modern browser;
  2. VMWare, VirtualBox or Parallels installed.
  3. 16Gb RAM / 30GB diskspace

More preparations and relevant documentation will be shared with the students in advance of the training.

Why is your material different, innovative, and/or significant?

Educating people to not just trust the information they find online, which is often incomplete. They will learn to build their own research workflow, document this and create a solid investigative workflow. We believe that by doing so, we are able to create a new generation of specialists that contribute to a more resilient digital society.

What tools are used during your training (if applicable)?

  • Loads of windows applications
  • PowerShell scripts
  • Splunk
  • Windows 10 Virtual Machine
  • Sysmon

Has this training been given anywhere else? If so, where?

This is a newly developed training, based on years of experience from our trainers. The content was been used in a Threat Hunting workshop held at DefCon Las Vegas 2019, in addition it was selected for Troopers2020, one of the most relevant conferences for Detection Engineering and Threat Hunting.


BCN Arena, Next to Amsterdam Arena Trainstation
Atlas Arena Complex
Building Azië - 5th level
Hoogoorddreef 5
1101 BA Amsterdam
Phone: 020 - 5 677 980


For this two day training we charge € 1500,- per participant, excluding taxes.


8:30 - 9:00Walk in with coffee and tea
9:00 - 12: 00Course
12:00 - 13:00Lunch
13: 00 - 17:00Couse
17: 00 - 18:00Drinks (not obligated)


  1. Olaf Hartong Olaf Hartong Co-Founder & Defensive specialist @ FalconForce

    Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in bl..

    Meer over Olaf Hartong

    Bekijk op Linkedin

  2. Gijs Hollestelle Co-Founder & Security specialist @ FalconForce

    Gijs is an Offensive Specialist at FalconForce, with an affinity for Defense. He has over 15 years of experience in digital security, with a long track record in red teaming, advanced security testing..

    Meer over Gijs Hollestelle

    Bekijk op Linkedin